It’s that time of year again where we look back on 2018 and review the biggest data breaches that occurred. Without any further ado, let’s get started.
USPS: 60 million
In November, the United States Postal Service announced it had fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf. That type of weakness presented a huge opportunity for mail fraud and stalking, among other malicious activity. The really sad part? The weakness was discovered over a year ago by a security researcher but not acted upon until cybersecurity journalist Brian Krebs reached out to the USPS after confirming the researcher’s findings.
Facebook: 90 million
Facebook has had some bad press this year between the fallout from the Cambridge Analytica scandal, Russian interference with the US election in 2016, and now this. On September 25, 2018, Facebook discovered that 50 million user accounts had been compromised as a result of a vulnerability that resulted in access tokens (what’s used to keep you signed into Facebook on all your devices) being illegally accessed. Facebook ended up logging out 90 million accounts total to reset the access tokens, and the company has come under heavy scrutiny from lawmakers in the US and abroad.
MyHeritage: 92 million
The DNA testing and genealogy company disclosed that it suffered the loss of email addresses and encrypted passwords of users who signed up for the service on or before October 26, 2017. 92 million user accounts were affected. The good news is that the passwords were encrypted, meaning they weren’t exposed, and there is no evidence that the data was ever used.
Exactis: 230 million
Exactis is a company you probably hadn’t heard of until this year. They’re a data aggregate firm that is one of those companies that holds rather a lot of personal data. While no Social Security numbers or credit card information was exposed in this breach, the company has a treasure trove of information on Americans including their names, contact information, personal habits, and even names of subjects’ children, all picked up from internet browsers. They announced their data breach in June/July that affected up to 230 million people, making it one of the largest breaches ever. It should be noted that this particular breach wasn’t the result of hackers maliciously breaking into the company’s servers, but rather that those servers were left open on the public internet for anyone to view.
Marriott/Starwood: 500 million
The (most recent) biggie. This breach of Starwood reservation database was discovered in November but is believed to have started as far back as 2014. Anyone who made a reservation at a Starwood property (which includes W hotels, St. Regis, Sheraton, and Westin hotels, among others) on or before September 10, 2018 could be affected. Data accessed includes names, phone numbers and even some rare data such as passport numbers and travel arrival/departure dates. Affected customers may sign up for a year of free monitoring services and visit answers.kroll.com to learn more.
What can we learn from these breaches? For one thing, they can happen to anybody. Data breaches are not just limited to banks. They also demonstrate that security is ultimately the long game, and not just a checkbox you can mark and forget about. Some of these breaches went undetected for months or even years, proving that security is an area that requires an attitude of constant vigilance instead of “well, there’s a firewall, so that pretty much covers everything.”
Unfortunately, as a consumer there is only so much you can do when you entrust your information to third parties. Privacy advocates and some researchers say that a better way to force the issue is to hold corporations who leak data–on purpose or otherwise–accountable to the consumer. That may not be a bad idea, as consumer trust isn’t something to be taken lightly, and companies who actually demonstrate that they care about data security, integrity and privacy are far more likely to be trusted than companies who don’t.
Looking to keep your organization’s data secure? We can help. Our cloud and data protection solutions are specifically designed with the highest degree of security, and our experts will help monitor and manage your environment so you know what’s happening at all times. Contact us to learn more.